Apple and Meta provided user information to hackers who used forged requests to obtain the information. According to people familiar with the situation, such requests can only be fulfilled with a search warrant or subpoena signed by a US judge, but emergency requests do not require a court order to be fulfilled.
Following the guidelines cited by Apple, a supervisor for the United States government or a member of the law enforcement agency who submitted the request may “be approached by Apple and asked if the emergency request was legitimate,” according to the guidelines.
According to three people with direct knowledge of the situation, Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who pretended to be law enforcement officials in exchange for money.
In response to the forged “emergency data requests,” Apple and Meta provided basic subscriber details, such as a customer’s address, phone number, and IP address, in mid-2021 to the fictitious government agencies. In most cases, according to the people, such requests are only fulfilled with the assistance of a search warrant or subpoena signed by a judge. The emergency requests, on the other hand, do not necessitate a court order.
A forged legal request was sent to Snap Inc. by the same hackers, but it is not known whether or not the company responded with information in response. It’s also unclear how many times the companies were compelled to provide information as a result of forged legal requests.
Cybersecurity researchers believe that some of the hackers who are sending the forged requests are minors who are based in the United Kingdom and the United States of America. According to the sources, one of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which has hacked into companies such as Microsoft Corp., Samsung Electronics Co., and Nvidia Corp., among others. The City of London Police recently detained seven individuals in connection with an investigation into the Lapsus$ hacking group; the investigation is still ongoing at this time. order.
A representative for Apple pointed Bloomberg News to a section of the company’s law enforcement guidelines as a source.
Apple and Meta provided user information to hackers who used forged requests
A supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” according to the Apple guidelines. “The emergency request was legitimate,” the Apple guidelines state.
Meta spokesman Andy Stone say, “we review every data request to ensure that it is legal and that it does not violate any laws.” “We use advanced systems and processes to validate law enforcement requests and detect abuse,” Stone said in a statement. The company says it “blocks known compromised accounts from making requests” and “works with law enforcement to respond to incidents involving suspected fraudulent requests,” such as the one in question.
A spokesperson for Snap said the company has safeguards in place to detect fraudulent requests from law enforcement. Snap did not immediately respond to a request for comment on the case.
The information about users on social media platforms is routinely requested by law enforcement agencies around the world as part of criminal investigations. In the United States, such requests are typically accompanied by a signed order from a judge. The emergency requests are intended to be used in situations of imminent danger and do not require the approval of a judge to be granted.
According to three people who are involved in the investigation, hackers affiliated with a cybercrime group known as “Recursion Team” are suspected of being behind some of the forged legal requests that were sent to companies throughout the year 2021.
Although the Recursion Team is no longer active, many of its members continue to carry out hacks under various guises, including as members of the Lapsus$ hacking collective, according to the sources.
According to one of the people familiar with the investigation, the information obtained by the hackers through the use of forged legal requests has been used to enable harassment campaigns to take place. According to the three individuals, it is most likely to be used to facilitate financial fraud schemes. The hackers could use the victim’s information to aid them in their attempt to circumvent account security if they knew what it was.
In order to protect the identities of those who were targeted, Bloomberg has withheld some specific details about the events.
According to two sources, the fraudulent legal requests are part of a months-long campaign that has targeted a large number of technology companies and has been ongoing since as early as January 2021. According to the three people and one additional person who are investigating the matter, the forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries.
The forged requests were made to appear legitimate in order to gain acceptance. According to two of the individuals, the documents contained forged signatures of real or fictional law enforcement officers in some instances. According to one of the people who spoke with the FBI, the hackers may have discovered legitimate legal requests through the compromise of law enforcement email systems and used them as a template to create forgeries.
Every time one of these companies made a mistake, at the heart of it was a person who was trying to do the right thing, according to Allison Nixon, chief research officer at Unit 221B, a cyber security firm. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees were given the legal flexibility to respond quickly to a tragic situation that was unfolding for a user,” says the author.
Earlier this week, cybersecurity blog Krebs on Security reported that hackers had forged an emergency data request in order to obtain information from the messaging app Discord. Bloomberg reported that Discord confirmed that it had also complied with a forged legal request in a statement to the publication.
As Discord explained in a statement, “we verify these requests by ensuring that they originate from a legitimate source, as we did in this instance.” We later discovered that the law enforcement account had been compromised by a malicious actor, despite our verification process having confirmed that the account itself was legitimate. We have since launched an investigation into this illegal activity and informed law enforcement authorities about the compromised email account,” says the company.
Apple and Meta both publish information about their compliance with requests for emergency data.
Apple received 1,162 emergency requests from 29 different countries between July and December 2020. The company’s report states that it provided information in response to 93 percent of the requests received.
From January to June 2021, Meta said it received 21,700 emergency requests from around the world, with some data being provided in response to 77 percent of those requests.
“In an emergency, law enforcement officers may submit requests without the need for legal process,” according to Meta’s website. “Depending on the circumstances, we may voluntarily disclose information to law enforcement if we have a good faith belief that the matter involves an imminent risk of serious physical injury or death,” the company says.
It is a patchwork of different email addresses and company portals that are used to request information from companies. Due to the fact that there are tens of thousands of different law enforcement agencies around the world, ranging from small police departments to federal agencies, completing legal requests can be a difficult undertaking. In terms of the request and release of user data, different jurisdictions have enacted different legislation.
As Jared Der-Yeghiayan, a director at cybersecurity firm Recorded Future Inc. and a former cyber program lead for the Department of Homeland Security, put it: “There is no single system or centralized system for submitting these things.” “Every single agency has a different approach to dealing with them.”
Although companies such as Meta and Snap have their own legal request portals for law enforcement to use, Der-Yeghiayan explained that they still accept legal requests via email and monitor them 24 hours a day on their servers.
The legal guidelines published by Apple state that the company will accept legal requests for user data sent to an apple.com email address “provided that it is transmitted from the official email address of the requesting agency.”
Because the login information for law enforcement email domains is available for purchase on online criminal marketplaces, it is possible to compromise the email domains of law enforcement agencies around the world in some cases with relative ease.
As Gene Yoo, CEO of the cybersecurity firm Resecurity, Inc. explained, “Dark web underground shops contain compromised email accounts of law enforcement agencies, which can be sold with the attached cookies and metadata for anywhere from $10 to $50.”
As a result of previously unknown vulnerabilities in Microsoft Exchange email servers, multiple law enforcement agencies were targeted last year, according to Yoo, “resulting in further intrusions.”
According to Nixon, of Unit 221B, finding a potential solution to the use of forged legal requests sent from hacked law enforcement email systems will be difficult.
“The situation is extremely complicated,” she explained. “It is not as simple as simply turning off the data flow to fix the problem. In addition to maximizing privacy, there are numerous other considerations to be taken into account.”
Read also: Is Jimmy Fallon the Worst Late Night Host , and Verizon Users Report Dodgy Messages | How to Stop Spam Texts
You can Check also:
- Answers To Your Questions About Home Inspections
- How To Maximize A Small Living Space?
- Deep-Cleaning Tips For Homeowners
- 10 Ways To Make Your Home Energy-efficient
- How to Enjoy a Weekend With Your Kids
- How to wipe your Android phone to selling or trading it in
- IN 6 Steps, Learn How to Start a Vegetable Garden